Understanding How Security Works for Phones

At installation, Cisco Unified Communications Manager boots up in nonsecure mode. When the phones boot up after the Cisco Unified Communications Manager installation, all devices register as nonsecure with Cisco Unified Communications Manager.

After you upgrade from Cisco Unified Communications Manager 4.0(1) or a later release, the phones boot up in the device security mode that you enabled prior to the upgrade; all devices register by using the chosen security mode.

The Cisco Unified Communications Manager installation creates a self-signed certificate on the Cisco Unified Communications Manager and TFTP server. You may also choose to use a third-party, CA-signed certificate for Cisco Unified Communications Manager instead of the self-signed certificate. After you configure authentication, Cisco Unified Communications Manager uses the certificate to authenticate with supported Cisco Unified IP Phones. After a certificate exists on the Cisco Unified Communications Manager and TFTP server, Cisco Unified Communications Manager does not reissue the certificates during each Cisco Unified Communications Manager upgrade. You must create a new CTL file with the new certificate entries.

Cisco Unified Communications Manager maintains the authentication and encryption status at the device level. If all devices that are involved in the call register as secure, the call status registers as secure. If one device registers as nonsecure, the call registers as nonsecure, even if the phone of the caller or recipient registers as secure.

Cisco Unified Communications Manager retains the authentication and encryption status of the device when a user uses Cisco Extension Mobility. Cisco Unified Communications Manager also retains the authentication and encryption status of the device when shared lines are configured.

Tip When you configure a shared line for an encrypted Cisco Unified IP Phone, configure all devices that share the lines for encryption; that is, ensure that you set the device security mode for all devices to encrypted by applying a security profile that supports encryption.

Supported Phone Models

For a list of security features that are supported on your phone, refer to the phone administration and user documentation that supports this Cisco Unified Communications Manager release or the firmware documentation that supports your firmware load.

Although you may be able to configure the security features in Cisco Unified Communications Manager Administration, the features may not work until you install a compatible firmware load on the Cisco TFTP server.

Viewing Security Settings on the Phone

You can configure and view certain security-related settings on phones that support security; for example, you can view whether a phone has a locally significant certificate or manufacture-installed certificate installed. For additional information on the security menu and icons, refer to the Cisco Unified IP Phone administration and user documentation that supports your phone model and this version of Cisco Unified Communications Manager.

When Cisco Unified Communications Manager classifies a call as authenticated or encrypted, an icon displays on the phone to indicate the call state. To determine when Cisco Unified Communications Manager classifies the call as authenticated or encrypted, refer to the "Security Icons" section and the "Interactions and Restrictions" section.

On Cisco Unified IP Phone 7960G or 7940G (SIP only), enter the digest authentication username and password (digest credentials) that you configured in the End User Configuration window.

This document does not provide procedures on how to enter the digest authentication credentials on the phone. For information on how to perform this task, refer to the Cisco Unified IP Phone administration guide that supports your phone model and this version of Cisco Unified Communications Manager.

Step 8

Encrypt the phone configuration file, if the phone supports this functionality.